How to create a code signing certificate in PFX/password format with csrgenerator.com? - ssl

I'm trying to renew my code signing certificate, which is used as a PFX (and password).
GoDaddy, our cert provider, provides instructions on generating a CSR, however this appears to be outdated for Windows 10.
I called GoDaddy and they told me to use csrgenerator.com to generate something like:
-----BEGIN CERTIFICATE REQUEST-----
foo
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
bar
-----END PRIVATE KEY-----
I then pasted the CSR into GoDaddy's site and they said once the cert is rekeyed, I can download .pem and .spc files.
How am I supposed to create a PFX with password from this? If I understand correctly, I need to generate a CSR from my machine. The GoDaddy rep assured me that csrgenerator.com is generating a CSR for my machine, but I've no idea how it is getting added to my certificates using MMC, much less how I am going to export the cert to a PFX. Even though I have the private key section, I don't see it being applied anywhere.

I know this question was asked several months ago, but I wanted to include a reply in case it helps anyone in the future. (I came across this post when I was trying to accomplish the same thing)
Follow these instructions to create a PFX file from the GoDaddy certificate:
https://www.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698
If you cannot complete these steps because the PFX option is greyed out, then the CSR generated does not allow the private key to be exported. I'm pretty sure the GoDaddy instructions linked in the question above are only for Windows Server. However, I was able to complete the following instructions on Windows 10 to generate a CSR that allowed the private key to be exported: http://www.entrust.net/knowledge-base/technote.cfm?tn=8924

Related

How do I install SSL? No Key or CA, Only CRT

I have a VPS with Apache2.
I have installed SSL before in my websites, but always from freeSSL or ZeroSSL, they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have issued a year long SSL service from Comodo SSL, and they send me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no idea what to do... I tried Google but can't find any guide, they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) (extensions may vary but, as you know, on Linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the CSR can be generated by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you've been asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: login with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a comodo SSL certificate, as I said the email of Comodo didn't give me the key file BUT, after some hours the comodo ssl service started showing on my webhosting control center and going through some menus I reached a button called "download SSL", that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence but is solved. Thanks. The other option was to reach Comodo or Hostinger for help.

How to import aws elb cert from one account to another?

I have two different AWS accounts, and the cert is present on an ELB in one account. I want the same cert for the other account because we have the same DNS.
How can I import the same cert to the different account as well?
When I try to get that cert and upload it with the cert chain, cert and private key, it says the certificate is not in PEM format. So that means the get-server-cert API doesn't return PEM format, is it?
Any help would be really appreciated.
Thank you
When you export a server certificate from IAM, not enough information is returned to allow you to use the certificate elsewhere.
This is by design. It is a security feature.
You need to find the original private key. While you're at it, you can just use the original cert and chain files.
$ aws iam get-server-certificate --server-certificate-name ExampleCertificate
When the preceding command is successful, it returns the certificate, the certificate chain (if one was uploaded), and metadata about the certificate.
Note
You cannot download or retrieve a private key from IAM after you upload it.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#get-server-certificate
Assuming you are already ahead of me, here, and that you do have the original private key, you should be able to use the results from aws get-server-certificate for the certificate and chain, because they should already be in PEM format, which looks like this:
-----BEGIN CERTIFICATE-----
...multiple lines of base64...
-----END CERTIFICATE-----
The certificate has exactly one such block, and the chain has one or more such blocks.
Your private key, in PEM format, looks similar, but has words other than CERTIFICATE in the boundary markers, such as RSA PRIVATE KEY.
Be sure the number of dashes on the left and right of each boundary marker is exactly 5.

java.lang.Exception: `Input not an X.509 certificate` when importing .pem certificate

I have created a self-signed certificate with makecert, exported it with private key to .pfx file and imported on the server. Then I copied one on the client and tried importing it using keytool. Got an error Input is not an X.509 certificate.
So I converted .pfx certificate to .pem using openssl and tried again - same result.
I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single certificate PEM files. Even though mine is a single certificate, PEM file contains private key information:
-----BEGIN PRIVATE KEY----
-----END PRIVATE KEY------
----BEGIN CERTIFICATE-----
----END CERTIFICATE-------
So I am not sure what should be my next step to ensure import will work when done with keytool on the client.
Can anyone shed some light on this issue?
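The PEM rules from the IAM answer above (exactly one CERTIFICATE block for the certificate, one or more for the chain, a different label on the private key, exactly five dashes on each side of a boundary) and the combined key-plus-certificate file in the keytool question can both be checked mechanically. The following Python is an added example, not code from any of the posts; the function names and the sample data are constructed for illustration.

```python
import base64
import re

# Matches anything shaped like a PEM boundary, whatever its dash count.
BOUNDARY = re.compile(r"^(-+)(BEGIN|END) ([A-Z0-9 ]+?)(-+)$")

def parse_pem(text):
    """Return (blocks, problems); blocks is a list of (label, decoded_bytes)."""
    blocks, problems, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        m = BOUNDARY.match(line.strip())
        if not m:
            body.append(line.strip())  # text outside a block is dropped at the next BEGIN
            continue
        left, kind, name, right = m.groups()
        if len(left) != 5 or len(right) != 5:
            problems.append(f"line {n}: boundary needs exactly 5 dashes on each side")
        if kind == "BEGIN":
            label, body = name, []
            continue
        if name != label:
            problems.append(f"line {n}: END {name} does not close BEGIN {label}")
        else:
            try:
                blocks.append((name, base64.b64decode("".join(body), validate=True)))
            except ValueError:
                problems.append(f"line {n}: {name} body is not valid base64")
        label = None
    if label is not None:
        problems.append(f"BEGIN {label} is never closed")
    return blocks, problems

def check_field(field, text):
    """Check a 'certificate', 'chain' or 'private_key' upload field; return problems."""
    blocks, problems = parse_pem(text)
    labels = [name for name, _ in blocks]
    one_key = len(labels) == 1 and labels[0].endswith("PRIVATE KEY")
    if field == "certificate" and labels != ["CERTIFICATE"]:
        problems.append("expected exactly one CERTIFICATE block")
    elif field == "chain" and set(labels) != {"CERTIFICATE"}:
        problems.append("expected one or more CERTIFICATE blocks and nothing else")
    elif field == "private_key" and not one_key:
        problems.append("expected exactly one ... PRIVATE KEY block")
    return problems

# Constructed sample input: placeholder bytes, not a real certificate or key.
BODY = base64.b64encode(b"constructed placeholder, not real DER").decode()
CERT = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"
KEY = f"-----BEGIN PRIVATE KEY-----\n{BODY}\n-----END PRIVATE KEY-----\n"
SHORT_DASHES = f"----BEGIN CERTIFICATE-----\n{BODY}\n----END CERTIFICATE-------\n"
```

Calling check_field("certificate", KEY + CERT) reports the extra private key block in a combined file, and check_field("certificate", SHORT_DASHES) reports both malformed boundary lines.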

Amazon Elastic Load Balancer SSL certificate installing How To

I'm having troubles making my Amazon-servers secure and I need some help here.
I purchased a wildcard cert, and the company sent me lots of different files:
DigiCertCA2.pem
mydomain.pem
TrustedRoot.pem
And all the files in one file as a chain, and also the same files in .crt -format.
Now I'm trying to install these to the Amazon Elastic Load Balancer, which keeps telling me that the key is in wrong format. Amazon asks for these:
Private Key:
Public Key Certificate:
Certificate Chain:
What do I put and where to make this work?
I got it to work! Yay!
Here's what I did for anyone else having hard times with this. :)
Amazon ELB will ask for "Private Key", which is the key that you created the first time you needed to give your certificate issuer the CSR code. My key was in the wrong format, which can be seen by looking at the beginning of the file. I had it like this:
-----BEGIN PRIVATE KEY-----
And it should be like this:
-----BEGIN RSA PRIVATE KEY-----
So I did this to convert it to the right format:
sudo openssl rsa -in mydomain.key -out mydomain_new.key
Then copy-paste the contents of the mydomain_new.key -file, into the "Private Key" -textarea.
Next is the "Public Key Certificate". This is the contents of mydomain.pem -file.
And finally it's turn for the "Certificate Chain". This is the contents of the DigiCertCA2.pem -file.
And that's it. Amazon accepted it beautifully without complaints.

How do I install a CA-signed certificate in OWIN?

I have a certificate from GoDaddy, which I've previously used for an IIS hosted website. I've now converted the site over to an OWIN self-hosted WebAPI project and would like to use the same certificate for the new site on a brand new machine.
Do I need to install IIS just to import the certificate or is there a way to import it directly into the certificate store like you can with self-signed certificates?
Or does this need to be handled directly in the new OWIN project somehow?
You don't need IIS to import a certificate, you use certmgr (Certificate Manager). You should be able to import the certificate directly with the Windows certificate manager and then use netsh to register it for OWIN using its thumbprint.
SignalR with Self-Signed SSL and Self-Host
Just ignore the part where they import into Root Certification Authorities, GoDaddy is already a trusted CA (although you can download the cert chain/bundle and manually import that as well).
You can create a certificate manager snap-in by running MMC (start->run->MMC), then Add-Remove Snap-ins, choose Certificates. Save to Desktop.
Figured out my problem (though, I don't know if it will help anyone else if they encounter this). Turns out GoDaddy's "Download Certificate" page only downloads certificates without the private key. I had to export the certificate previously imported by IIS, then import it into my Personal store. I assume there's a way to get the private key w/o importing into IIS, but I personally don't know what it is (maybe I just missed a step somewhere this time around).
Yes, the certificate must be installed with the private key for it to work with OWIN. I had to go through the same pain, as most (all?) CAs issue certificates without private keys. However you must have received the private key beforehand. You must have your certificate in .crt format. This does not include the private key in it. So you need to create a certificate of .pfx format with the private key in it.
If your private key is in plain text, then create a .key file with the plain text as its content. Note that your .key file should have the standard first and last lines of a private key, else it'll complain about an invalid key.
-----BEGIN PRIVATE KEY-----
<key-content>
-----END PRIVATE KEY-----
Now create a .pfx certificate using OpenSSL tool.
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt
To import this certificate just double click on .pfx file. In the import wizard choose 'Local Computer - Personal' as certificate store. After successful import you'd also notice a small (lock)key icon appearing on top of installed certificate icon.
Assuming you have bound the server port with your OWIN application using netsh http add sslcert, it should start working!